514When Seeing Isn't Believing: On Feasibility and Detectability of Scapegoating in Network TomographyShangqing Zhao, Zhuo Lu and Cliff Wang
University of South Florida, University of South Florida, North Carolina State University/ Army Research Office

Network tomography is a vital tool to estimate link qualities from end-to-end network measurements. An implicit assumption in network tomography is that observed measurements indeed reflect the aggregate of link performance (i.e., seeing is believing). However, it is not guaranteed today that there exists no anomaly (e.g., malicious autonomous systems and insider threats) in large-scale networks. Malicious nodes can intentionally manipulate link metrics via delaying or dropping packets to affect measurements. Will such an assumption render a vulnerability when facing attackers? The problem is of essential importance in that network tomography is developed towards effective network diagnostics and failure recovery. In this paper, we demonstrate that the vulnerability is real and propose a new attack strategy, called scapegoating, in which malicious nodes can substantially damage a network (e.g., delaying packets) and at the same time maliciously manipulate end-to-end measurement results such that a legitimate node is misleadingly identified as the root cause of the damage (thereby becoming a scapegoat) under network tomography. We formulate three basic scapegoating approaches and show under what conditions attacks can be successful. We also reveal conditions to detect such attacks. Our theoretical and experimental results show that simply trusting measurements leads to scapegoating vulnerabilities. Thus, existing methods should be revisited accordingly for security in various applications.